The Coq Proof Assistant

Size: px

Start display at page:

Download "The Coq Proof Assistant"

Stephanie Dawson
5 years ago
Views:

1 The Coq Proof Assistant Bow-Yaw Wang Institute of Information Science Academia Sinica, Taiwan October 15, 2018 Bow-Yaw Wang (Academia Sinica) The Coq Proof Assistant October 15, / 59

2 Outline 1 The Coq Proof Assistant Bow-Yaw Wang (Academia Sinica) The Coq Proof Assistant October 15, / 59

3 The Coq Proof Assistant Coq is a proof assistant which checks every proof steps. It has been developed by Institut national de recherche en informatique et en automatique (INRIA) at France since It is used to check the proofs of the four color theorem (September 2004) and Feit-Thompson theorem (September 2012). It is also used in the CompCert project to formally verify an optimizing C compiler for PowerPC, ARM, and 32-bit x86 processors (2005). Coq is available on various platforms. The contents of this lecture are borrowed from Coq Tutorial. Bow-Yaw Wang (Academia Sinica) The Coq Proof Assistant October 15, / 59

4 Using Coq We start up and exit Coq as follows. $ coqtop Welcome to Coq 8.3 pl4 ( April 2012) Coq < Quit. $ Bow-Yaw Wang (Academia Sinica) The Coq Proof Assistant October 15, / 59

5 Prop, Set, and Type A sort classifies specifications. a logical proposition has the sort Prop; a mathematical collection has the sort Set; and an abstract type has the sort Type. Every Coq expression has a sort. Coq < Check False. False : Prop Coq < Check nat. nat : Set Coq < Check O. 0 : nat Bow-Yaw Wang (Academia Sinica) The Coq Proof Assistant October 15, / 59

6 Basic Proof Tactics I Let us do some simple proofs. We first set up our context. Coq < Section Simple. Coq < Hypothesis P Q : Prop. P is assumed Q is assumed In this code, we start a section called Simple. We also make two hypotheses. Both P and Q are logical propositions. Bow-Yaw Wang (Academia Sinica) The Coq Proof Assistant October 15, / 59

7 Basic Proof Tactics II We first show P P. Coq < Lemma one_ line : P -> P. P : Prop Q : Prop P -> P We declare a lemma called one line. Coq asks us to show P P from the hypotheses P and Q. Bow-Yaw Wang (Academia Sinica) The Coq Proof Assistant October 15, / 59

8 Basic Proof Tactics III The tactic intros introduces new hypotheses with the given name. one_ line < intros HP. P : Prop Q : Prop HP : P P How does intros compare to the i rule? Bow-Yaw Wang (Academia Sinica) The Coq Proof Assistant October 15, / 59

9 Basic Proof Tactics IV The tactic exact uses the named hypothesis. one_ line < exact HP. Proof completed. The command Qed finishes up the lemma. one_ line < Qed. intros HP. exact HP. one_ line is defined Bow-Yaw Wang (Academia Sinica) The Coq Proof Assistant October 15, / 59

10 Basic Proof Tactics V We can check our new lemma and print its proof. Coq < Check one_ line. one_ line : P -> P Coq < Print one_ line. one_ line = fun HP : P => HP : P -> P Observe how our proof is represented in Coq. Bow-Yaw Wang (Academia Sinica) The Coq Proof Assistant October 15, / 59

11 Basic Proof Tactics VI Tactics start with lowercase letters such as intros and exact. We use tactics to construct formal proofs. Commands on the other hand start with uppercase letters such as Quit, Section, Lemma, Qed, Print. We use commands to operate Coq. Bow-Yaw Wang (Academia Sinica) The Coq Proof Assistant October 15, / 59

12 Basic Proof Tactics VII Let us prove P (P Q) Q. Coq < Lemma MP : P -> ( P -> Q) -> Q. P : Prop Q : Prop P -> (P -> Q) -> Q MP < intros HP HI. P : Prop Q : Prop HP : P HI : P -> Q Q Bow-Yaw Wang (Academia Sinica) The Coq Proof Assistant October 15, / 59

13 Basic Proof Tactics VIII The tactic apply matches the conclusion with the named hypothesis and lists unresolved conditions. MP < apply HI. P : Prop Q : Prop HP : P HI : P -> Q P MP < exact HP. Proof completed. How does apply compare to e? Bow-Yaw Wang (Academia Sinica) The Coq Proof Assistant October 15, / 59

14 Basic Proof Tactics IX Let us finish up the lemma and see the proof term. MP < Qed. intros HP HI. apply HI. exact HP. MP is defined Coq < Print MP. MP = fun ( HP : P) ( HI : P -> Q) => HI HP : P -> (P -> Q) -> Q Bow-Yaw Wang (Academia Sinica) The Coq Proof Assistant October 15, / 59

15 Basic Proof Tactics X Let us prove P Q Q P. Coq < Lemma conj_ comm : P /\ Q -> Q /\ P. P : Prop Q : Prop P /\ Q -> Q /\ P conj_ comm < intros conj. P : Prop Q : Prop conj : P /\ Q Q /\ P Bow-Yaw Wang (Academia Sinica) The Coq Proof Assistant October 15, / 59

16 Basic Proof Tactics XI The tactic elim eliminates a named hypothesis. conj_ comm < elim conj. P : Prop Q : Prop conj : P /\ Q P -> Q -> Q /\ P Observe that P Q is decomposed into P and Q. How does elim compare to e 1 and e 2? Bow-Yaw Wang (Academia Sinica) The Coq Proof Assistant October 15, / 59

17 Basic Proof Tactics XII We introduce two more hypotheses HP and HQ. conj_ comm < intros HP HQ. P : Prop Q : Prop conj : P /\ Q HP : P HQ : Q Q /\ P Now we can use the hypotheses HP and HQ. Bow-Yaw Wang (Academia Sinica) The Coq Proof Assistant October 15, / 59

18 Basic Proof Tactics XIII The tactic split splits a conjunction into two. conj_ comm < split. 2 subgoals P : Prop Q : Prop conj : P /\ Q HP : P HQ : Q Q subgoal 2 is: P How does split compare to i? Bow-Yaw Wang (Academia Sinica) The Coq Proof Assistant October 15, / 59

19 Basic Proof Tactics XIV We use hypotheses to prove the lemma. conj_ comm < exact HQ. P : Prop Q : Prop conj : P /\ Q HP : P HQ : Q P conj_ comm < exact HP. Proof completed. Bow-Yaw Wang (Academia Sinica) The Coq Proof Assistant October 15, / 59

20 Basic Proof Tactics XV Let us finish up the lemma and see its proof term. conj_ comm < Qed. intros conj. elim conj. intros HP HQ. split. exact HQ. exact HP. conj_ comm is defined Coq < Print conj_ comm. conj_ comm = fun conj0 : P /\ Q => and_ind ( fun (HP : P) (HQ : Q) => conj HQ HP) conj0 : P /\ Q -> Q /\ P Bow-Yaw Wang (Academia Sinica) The Coq Proof Assistant October 15, / 59

21 Basic Proof Tactics XVI Let us try to prove P Q Q P. Coq < Lemma disj_ comm : P \/ Q -> Q \/ P. P : Prop Q : Prop P \/ Q -> Q \/ P disj_ comm < intros disj. P : Prop Q : Prop disj : P \/ Q Q \/ P Bow-Yaw Wang (Academia Sinica) The Coq Proof Assistant October 15, / 59

22 Basic Proof Tactics XVII We eliminate the hypothesis disj. disj_ comm < elim disj. 2 subgoals P : Prop Q : Prop disj : P \/ Q P -> Q \/ P subgoal 2 is: Q -> Q \/ P How does elim compare to e? Bow-Yaw Wang (Academia Sinica) The Coq Proof Assistant October 15, / 59

23 Basic Proof Tactics XVIII We next introduce a new hypothesis P. disj_ comm < intros HP. 2 subgoals P : Prop Q : Prop disj : P \/ Q HP : P Q \/ P subgoal 2 is: Q -> Q \/ P Bow-Yaw Wang (Academia Sinica) The Coq Proof Assistant October 15, / 59

24 Basic Proof Tactics XIX The tactic right selects the left operand in a disjunction. disj_ comm < right. 2 subgoals P : Prop Q : Prop disj : P \/ Q HP : P P subgoal 2 is: Q -> Q \/ P How does right compare to i 2? Bow-Yaw Wang (Academia Sinica) The Coq Proof Assistant October 15, / 59

25 Basic Proof Tactics XX The tactic assumption searches an exact hypothesis for the conclusion. disj_ comm < assumption. P : Prop Q : Prop disj : P \/ Q Q -> Q \/ P We can combine a sequence of tactics by semicolon (;). disj_ comm < intros HQ; left ; assumption. Proof completed. Bow-Yaw Wang (Academia Sinica) The Coq Proof Assistant October 15, / 59

26 Basic Proof Tactics XXI We finish up the lemma and print our proof. disj_ comm < Qed. intros disj. elim disj. intros HP. right. assumption. intros HQ; left ; assumption. disj_ comm is defined Coq < Print disj_ comm. disj_ comm = fun disj : P \/ Q => or_ind ( fun HP : P => or_ intror Q HP) ( fun HQ : Q => or_ introl P HQ) disj : P \/ Q -> Q \/ P Bow-Yaw Wang (Academia Sinica) The Coq Proof Assistant October 15, / 59

27 Basic Proof Tactics XXII Let us prove a lemma about double negation: P P. Coq < Lemma PNNP : P -> ~~ P. P : Prop Q : Prop P -> ~ ~ P PNNP < intros HP. P : Prop Q : Prop HP : P ~ ~ P Bow-Yaw Wang (Academia Sinica) The Coq Proof Assistant October 15, / 59

28 Basic Proof Tactics XXIII In Coq, P is a shorthand for P. We use red to expand a toplevel shorthand. PNNP < red. P : Prop Q : Prop HP : P ~ P -> False Bow-Yaw Wang (Academia Sinica) The Coq Proof Assistant October 15, / 59

29 Basic Proof Tactics XXIV We introduce another hypothesis P. PNNP < intros HNP. P : Prop Q : Prop HP : P HNP : ~ P False How does this intros compare to i? Bow-Yaw Wang (Academia Sinica) The Coq Proof Assistant October 15, / 59

30 Basic Proof Tactics XXV We have P and P. The tactic absurd P exploits the contraction. PNNP < absurd P. 2 subgoals P : Prop Q : Prop HP : P HNP : ~ P ~ P subgoal 2 is: P How does absurd compare to e? Bow-Yaw Wang (Academia Sinica) The Coq Proof Assistant October 15, / 59

31 Basic Proof Tactics XXVI The tactic trivial performs a simple proof search. PNNP < trivial. P : Prop Q : Prop HP : P HNP : ~ P P PNNP < trivial. Proof completed. Bow-Yaw Wang (Academia Sinica) The Coq Proof Assistant October 15, / 59

32 Basic Proof Tactics XXVII Let us finish up the lemma, conclude the section, and check it. PNNP < Qed. intros HP. red. intros HNP. absurd P. trivial. trivial. PNNP is defined Coq < End Simple. Coq < Check PNNP. PNNP : forall P : Prop, P -> ~ ~ P Note the hypothesis P is generalized after closing the section. Bow-Yaw Wang (Academia Sinica) The Coq Proof Assistant October 15, / 59

33 Basic Proof Tactics XXVIII Coq actually provides a complete tactic tauto. Coq < Hypotheses P Q R S : Prop. P is assumed Q is assumed R is assumed S is assumed Coq < Hypothesis H0 : (P /\ Q) -> R. H0 is assumed Coq < Hypothesis H1 : R -> S. H1 is assumed Coq < Hypothesis H2 : Q /\ ~S. H2 is assumed Coq < Lemma homework : ~P. P : Prop Q : Prop R : Prop S : Prop H0 : P /\ Q -> R H1 : R -> S H2 : Q /\ ~ S ~ P homework < tauto. Proof completed. Bow-Yaw Wang (Academia Sinica) The Coq Proof Assistant October 15, / 59

34 Basic Proof Tactics XXIX Coq in fact uses intuitionistic logic. Coq < Goal forall P : Prop, P \/ ~P. forall P : Prop, P \/ ~ P Unnamed_thm < tauto. Toplevel input, characters 0-5: > tauto. > ^^^^^ Error : tauto failed. Goal declares an unnamed lemma. To do classical logic, add Coq < Require Import Classical. Coq < Check classic. classic : forall P : Prop, P \/ ~ P Bow-Yaw Wang (Academia Sinica) The Coq Proof Assistant October 15, / 59

35 More Proof Tactics I Let us set up a section for predicate logic. Coq < Section Easy. Coq < Hypothesis D : Set. D is assumed Coq < Hypothesis R : D -> D -> Prop. R is assumed In a new section, we declare a set D and a binary predicate symbol R. Let us set up a subsection where R is symmetric and transitive. Coq < Section R_sym_trans. Coq < Hypothesis R_symmetric : forall x y : D, R x y -> R y x. R_symmetric is assumed Coq < Hypothesis R_transitive : forall x y z : D, R x y -> R y z -> R x z. R_transitive is assumed Bow-Yaw Wang (Academia Sinica) The Coq Proof Assistant October 15, / 59

36 More Proof Tactics II Let us prove x D( y D, (Rxy) Rxx). Coq < Lemma refl_if : forall x : D, ( exists y, R x y) -> R x x. D : Set R : D -> D -> Prop R_symmetric : forall x y : D, R x y -> R y x R_transitive : forall x y z : D, R x y -> R y z -> R x z forall x : D, ( exists y : D, R x y) -> R x x Our predicate logic formula is written as forall x : D, (exists y, R x y) -> R x x. Observe that we did not specify y D but Coq infers it anyway. Bow-Yaw Wang (Academia Sinica) The Coq Proof Assistant October 15, / 59

37 More Proof Tactics III The tactic intros again introduces a new hypothesis. refl_if < intros x. D : Set R : D -> D -> Prop R_symmetric : forall x y : D, R x y -> R y x R_transitive : forall x y z : D, R x y -> R y z -> R x z x : D ( exists y : D, R x y) -> R x x How does it compare to i? Bow-Yaw Wang (Academia Sinica) The Coq Proof Assistant October 15, / 59

38 More Proof Tactics IV We introduce another hypothesis y D(Rxy). refl_if < intros Ey. D : Set R : D -> D -> Prop R_symmetric : forall x y : D, R x y -> R y x R_transitive : forall x y z : D, R x y -> R y z -> R x z x : D Ey : exists y : D, R x y R x x This is simply i. Bow-Yaw Wang (Academia Sinica) The Coq Proof Assistant October 15, / 59

39 More Proof Tactics V Let us eliminate y D(Rxy). refl_if < elim Ey. D : Set R : D -> D -> Prop R_symmetric : forall x y : D, R x y -> R y x R_transitive : forall x y z : D, R x y -> R y z -> R x z x : D Ey : exists y : D, R x y forall x0 : D, R x x0 -> R x x How does elim compare to e? Bow-Yaw Wang (Academia Sinica) The Coq Proof Assistant October 15, / 59

40 More Proof Tactics VI We get the instance of y D(Rxy) by intros. refl_if < intros y Rxy. D : Set R : D -> D -> Prop R_symmetric : forall x y : D, R x y -> R y x R_transitive : forall x y z : D, R x y -> R y z -> R x z x : D Ey : exists y : D, R x y y : D Rxy : R x y R x x Now elim and intros look really like e. Bow-Yaw Wang (Academia Sinica) The Coq Proof Assistant October 15, / 59

41 More Proof Tactics VII We apply the hypothesis R transitive. refl_if < apply R_transitive with y. 2 subgoals D : Set R : D -> D -> Prop R_symmetric : forall x y : D, R x y -> R y x R_transitive : forall x y z : D, R x y -> R y z -> R x z x : D Ey : exists y : D, R x y y : D Rxy : R x y R x y subgoal 2 is: R y x Note that we need to give the hint y. How does apply compare to e? Bow-Yaw Wang (Academia Sinica) The Coq Proof Assistant October 15, / 59

42 More Proof Tactics VIII The first subgoal is trivial. refl_if < trivial. D : Set R : D -> D -> Prop R_symmetric : forall x y : D, R x y -> R y x R_transitive : forall x y z : D, R x y -> R y z -> R x z x : D Ey : exists y : D, R x y y : D Rxy : R x y R y x Bow-Yaw Wang (Academia Sinica) The Coq Proof Assistant October 15, / 59

43 More Proof Tactics IX For the other subgoal, we apply xy D(Rxy Ryx). refl_if < apply R_symmetric. D : Set R : D -> D -> Prop R_symmetric : forall x y : D, R x y -> R y x R_transitive : forall x y z : D, R x y -> R y z -> R x z x : D Ey : exists y : D, R x y y : D Rxy : R x y R x y Now the goal is trivial. refl_if < trivial. Proof completed. Bow-Yaw Wang (Academia Sinica) The Coq Proof Assistant October 15, / 59

44 More Proof Tactics X Let us finish up the lemma and see the proof term. refl_if < Qed. intros x. intros Ey. elim Ey. intros y Rxy. apply R_transitive with y. trivial. apply R_symmetric. trivial. refl_if is defined Coq < Print refl_if. refl_if = fun ( x : D) ( Ey : exists y : D, R x y) => ex_ind ( fun (y : D) ( Rxy : R x y) => R_transitive x y x Rxy ( R_symmetric x y Rxy )) Ey : forall x : D, ( exists y : D, R x y) -> R x x Bow-Yaw Wang (Academia Sinica) The Coq Proof Assistant October 15, / 59

45 Smullyan s Drinkers Paradox I We will prove Smullyan s drinkers paradox: in any non-empty bar, there is a person such that she drinks then everyone drinks. Let us set up the context. Coq < Section DrinkersParadox. Coq < Require Import Classical. Coq < Hypothesis bar : Set. bar is assumed Coq < Hypothesis Joe : bar. Joe is assumed Coq < Hypothesis drinks : bar -> Prop. drinks is assumed Note that Joe is in the bar. Bow-Yaw Wang (Academia Sinica) The Coq Proof Assistant October 15, / 59

46 Smullyan s Drinkers Paradox II Here is what we want to prove. Coq < Lemma drinker : exists x : bar, drinks x -> forall y : bar, drinks y. bar : Set Joe : bar drinks : bar -> Prop exists x : bar, drinks x -> forall y : bar, drinks y Bow-Yaw Wang (Academia Sinica) The Coq Proof Assistant October 15, / 59

47 Smullyan s Drinkers Paradox III By LEM, we have ( x bar( drinks x)) ( x bar( drinks x)). We consider the two cases. drinker < Check ( classic ( exists x : bar, ~ drinks x)). classic ( exists x : bar, ~ drinks x) : ( exists x : bar, ~ drinks x) \/ ~ ( exists x : bar, ~ drinks x) drinker < elim ( classic ( exists x : bar, ~ drinks x)). 2 subgoals bar : Set Joe : bar drinks : bar -> Prop ( exists x : bar, ~ drinks x) -> exists x : bar, drinks x -> forall y : bar, drinks y subgoal 2 is: ~ ( exists x : bar, ~ drinks x) -> exists x : bar, drinks x -> forall y : bar, drinks y Bow-Yaw Wang (Academia Sinica) The Coq Proof Assistant October 15, / 59

48 Smullyan s Drinkers Paradox IV We introduce the hypothesis non drinker. drinker < intros non_drinker. 2 subgoals bar : Set Joe : bar drinks : bar -> Prop non_drinker : exists x : bar, ~ drinks x exists x : bar, drinks x -> forall y : bar, drinks y subgoal 2 is: ~ ( exists x : bar, ~ drinks x) -> exists x : bar, drinks x -> forall y : bar, drinks y Bow-Yaw Wang (Academia Sinica) The Coq Proof Assistant October 15, / 59

49 Smullyan s Drinkers Paradox V We eliminate non drinker and obtain an instance. drinker < elim non_drinker ; intros Jane Jane_non_drinker. 2 subgoals bar : Set Joe : bar drinks : bar -> Prop non_drinker : exists x : bar, ~ drinks x Jane : bar Jane_non_drinker : ~ drinks Jane exists x : bar, drinks x -> forall y : bar, drinks y subgoal 2 is: ~ ( exists x : bar, ~ drinks x) -> exists x : bar, drinks x -> forall y : bar, drinks y Bow-Yaw Wang (Academia Sinica) The Coq Proof Assistant October 15, / 59

50 Smullyan s Drinkers Paradox VI The tactic exists uses a term as a witness to an existential formula. drinker < exists Jane. 2 subgoals bar : Set Joe : bar drinks : bar -> Prop non_drinker : exists x : bar, ~ drinks x Jane : bar Jane_non_drinker : ~ drinks Jane drinks Jane -> forall y : bar, drinks y subgoal 2 is: ~ ( exists x : bar, ~ drinks x) -> exists x : bar, drinks x -> forall y : bar, drinks y How does exists compare to i? Bow-Yaw Wang (Academia Sinica) The Coq Proof Assistant October 15, / 59

51 Smullyan s Drinkers Paradox VII Observe that we have a contradiction. The tactic tauto will do. drinker < tauto. bar : Set Joe : bar drinks : bar -> Prop ~ ( exists x : bar, ~ drinks x) -> exists x : bar, drinks x -> forall y : bar, drinks y Bow-Yaw Wang (Academia Sinica) The Coq Proof Assistant October 15, / 59

52 Smullyan s Drinkers Paradox VIII We introduce a hypothesis for the other subgoal. drinker < intros no_non_drinker. bar : Set Joe : bar drinks : bar -> Prop no_non_drinker : ~ ( exists x : bar, ~ drinks x) exists x : bar, drinks x -> forall y : bar, drinks y Bow-Yaw Wang (Academia Sinica) The Coq Proof Assistant October 15, / 59

53 Smullyan s Drinkers Paradox IX Joe is our witness. drinker < exists Joe. bar : Set Joe : bar drinks : bar -> Prop no_non_drinker : ~ ( exists x : bar, ~ drinks x) drinks Joe -> forall y : bar, drinks y We introduce more hypotheses. drinker < intros Joe_drinker y. bar : Set Joe : bar drinks : bar -> Prop no_non_drinker : ~ ( exists x : bar, ~ drinks x) Joe_drinker : drinks Joe y: bar drinks y Bow-Yaw Wang (Academia Sinica) The Coq Proof Assistant October 15, / 59

54 Smullyan s Drinkers Paradox X For y bar, we have drinks y drinks y by LEM. drinker < elim ( classic ( drinks y)). 2 subgoals bar : Set Joe : bar drinks : bar -> Prop no_non_drinker : ~ ( exists x : bar, ~ drinks x) Joe_drinker : drinks Joe y : bar drinks y -> drinks y subgoal 2 is: ~ drinks y -> drinks y Bow-Yaw Wang (Academia Sinica) The Coq Proof Assistant October 15, / 59

55 Smullyan s Drinkers Paradox XI The first subgoal is easy. drinker < tauto. bar : Set Joe : bar drinks : bar -> Prop no_non_drinker : ~ ( exists x : bar, ~ drinks x) Joe_drinker : drinks Joe y : bar ~ drinks y -> drinks y Bow-Yaw Wang (Academia Sinica) The Coq Proof Assistant October 15, / 59

56 Smullyan s Drinkers Paradox XII We introduce a hypothesis that y does not drink. drinker < intros y_non_drinker. bar : Set Joe : bar drinks : bar -> Prop no_non_drinker : ~ ( exists x : bar, ~ drinks x) Joe_drinker : drinks Joe y : bar y_non_drinker : ~ drinks y drinks y Bow-Yaw Wang (Academia Sinica) The Coq Proof Assistant October 15, / 59

57 Smullyan s Drinkers Paradox XIII This is contradictory to no non drinker. drinker < absurd ( exists x, ~ drinks x). 2 subgoals bar : Set Joe : bar drinks : bar -> Prop no_non_drinker : ~ ( exists x : bar, ~ drinks x) Joe_drinker : drinks Joe y : bar y_non_drinker : ~ drinks y ~ ( exists x : bar, ~ drinks x) subgoal 2 is: exists x : bar, ~ drinks x Bow-Yaw Wang (Academia Sinica) The Coq Proof Assistant October 15, / 59

58 Smullyan s Drinkers Paradox XIV Again, the first subgoal is trivial. The second subgoal has a witness y. drinker < trivial. bar : Set Joe : bar drinks : bar -> Prop no_non_drinker : ~ ( exists x : bar, ~ drinks x) Joe_drinker : drinks Joe y : bar y_non_drinker : ~ drinks y exists x : bar, ~ drinks x drinker < exists y; trivial. Proof completed. Bow-Yaw Wang (Academia Sinica) The Coq Proof Assistant October 15, / 59

59 Smullyan s Drinkers Paradox XV Let us finish up the lemma and see its proof term. drinker < Qed. (* proof script skipped *) Coq < Print drinker. drinker = or_ind ( fun non_drinker : exists x : bar, ~ drinks x => ex_ind (fun (Jane : bar ) ( Jane_non_drinker : ~ drinks Jane ) => ex_intro ( fun x : bar => drinks x -> forall y : bar, drinks y) Jane ( fun H : drinks Jane => let H0 := Jane_non_drinker H in False_ind ( forall y : bar, drinks y) H0 )) non_drinker ) (fun no_non_drinker : ~ ( exists x : bar, ~ drinks x) => ex_intro ( fun x : bar => drinks x -> forall y : bar, drinks y) Joe ( fun (_ : drinks Joe ) (y : bar ) => or_ind ( fun H : drinks y => H) ( fun y_non_drinker : ~ drinks y => False_ind ( drinks y) ( let H := ex_intro ( fun x : bar => ~ drinks x) y y_non_drinker in ( let H0 := no_non_drinker in fun H1 : exists x : bar, ~ drinks x => H0 H1) H)) ( classic ( drinks y )))) ( classic ( exists x : bar, ~ drinks x)) : exists x : bar, drinks x -> forall y : bar, drinks y Bow-Yaw Wang (Academia Sinica) The Coq Proof Assistant October 15, / 59

Predicate Logic. Bow-Yaw Wang. Institute of Information Science Academia Sinica, Taiwan. November 22, 2017

Predicate Logic. Bow-Yaw Wang. Institute of Information Science Academia Sinica, Taiwan. November 22, 2017 Predicate Logic Bow-Yaw Wang Institute of Information Science Academia Sinica, Taiwan November 22, 2017 Bow-Yaw Wang (Academia Sinica) Predicate Logic November 22, 2017 1 / 157 8 The Coq Proof Assistant